What is the NIS2 Directive?
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union’s updated cybersecurity regulation that establishes harmonized security requirements, mandatory incident reporting, and enforcement measures for essential and important entities across 18 critical sectors. It replaced the original NIS Directive on October 18, 2024, expanding scope to over 100,000 organizations with penalties up to €10 million or 2% of global turnover. NIS2 mandates 10 minimum risk-management measures under Article 21, strict incident reporting timelines (24h, 72h, 1 month), supply chain security, and personal accountability for senior management. This guide covers requirements, sectors, penalties, and how Teldat’s cybersecurity solutions support NIS2 readiness.
Definition and background
The NIS2 Directive is the European Union’s comprehensive cybersecurity regulation designed to achieve a high common level of cybersecurity across all member states. Formally published as Directive (EU) 2022/2555 in December 2022, it replaced the original Network and Information Security Directive (NIS1) from 2016, which had proven insufficient in addressing the rapidly evolving cyber threat landscape.
NIS2 requires medium-sized and large organizations operating in critical sectors to implement appropriate technical, operational, and organizational measures to manage cybersecurity risks. It establishes uniform requirements for risk management, incident reporting, supply chain security, and governance accountability across the EU.
Key fact: NIS2 affects over 100,000 organizations across the EU, a massive expansion from NIS1. Member states were required to transpose NIS2 into national law by October 17, 2024. Only four countries (Belgium, Croatia, Hungary, Italy) met this deadline; the European Commission opened infringement proceedings against 23 member states in November 2024.
The directive is part of a broader EU cybersecurity strategy including the Cyber Resilience Act (CRA) for hardware/software, the Digital Operational Resilience Act (DORA) for finance, and the Critical Entities Resilience Directive (CER). Together they protect the EU’s critical infrastructure, digital services, and supply chains.
NIS1 vs NIS2: key differences
The original NIS Directive laid the groundwork for EU-wide cybersecurity cooperation but suffered from inconsistent implementation, narrow scope, and weak enforcement. NIS2 addresses these gaps:
| Aspect | NIS1 (2016) | NIS2 (2024) |
|---|---|---|
| Scope | 7 sectors; member states chose entities | 18 sectors; automatic size-cap rule (50+ employees or €10M+) |
| Entity classification | OES and Digital Service Providers | Essential and important entities with differentiated oversight |
| Penalties | Varied by member state; no harmonized fines | Up to €10M / 2% turnover (essential); €7M / 1.4% (important) |
| Management liability | Not explicitly defined | Senior management personally liable; mandatory training |
| Incident reporting | No strict timelines | 24h early warning, 72h notification, 1-month final report |
| Supply chain | Not addressed | Mandatory supply chain risk assessments |
| Enforcement | Limited supervisory powers | Proactive supervision (essential); post-incident (important) |
| Cooperation | Basic framework | EU-CyCLONe for cross-border crisis management |
Who must comply with NIS2?
NIS2 introduces a size-cap rule that automatically determines scope. Any organization with 50+ employees or €10M+ annual turnover operating in a covered sector is automatically in scope.
Cross-border complexity: organizations in multiple EU countries face different national transposition rules. Telecom companies must comply in every country of service; cloud providers follow their main establishment. In January 2026, the Commission proposed amendments to simplify compliance for 28,700 organizations including 6,200+ SMEs.
Sectors affected by NIS2
NIS2 expands EU cybersecurity regulation from 7 to 18 sectors:
High-criticality sectors (Annex I essential entities)
Energy (electricity, oil, gas, hydrogen, district heating). Transport (air, rail, water, road). Banking and financial market infrastructures. Healthcare. Drinking water. Wastewater. Digital infrastructure (DNS, TLD, cloud, data centers, CDN, trust services). ICT service management (MSPs, MSSPs). Public administration (central and regional). Space.
Other critical sectors (Annex II important entities)
Postal and courier. Waste management. Chemicals. Food production and distribution. Manufacturing of critical products (medical devices, computers, electronics, vehicles, machinery). Digital providers (marketplaces, search engines, social platforms). Research organizations.
Banking note: banking and financial market infrastructures are covered by NIS2 but also subject to DORA, which takes precedence as the sector-specific regulation where requirements overlap.
NIS2 requirements: the 10 minimum measures (Article 21)
Article 21 defines ten minimum cybersecurity risk-management measures. They are technology-neutral and outcomes-based, specifying what to achieve, not which tools to use: (1) risk analysis and information system security policies, (2) incident handling, (3) business continuity (backups, disaster recovery, crisis management), (4) supply chain security, (5) security in network and information system acquisition, development, and maintenance (including vulnerability handling), (6) assessment of the effectiveness of the measures, (7) cyber hygiene practices and training, (8) cryptography and, where appropriate, encryption, (9) access control and asset management (including human resources security), and (10) multi-factor authentication and secured communications.
Proportionality principle: controls must match the entity’s risk exposure, size, and societal/economic impact. ISO 27001-certified organizations cover much of Article 21, but gaps typically exist around supply chain security, management accountability, incident reporting timelines, and MFA requirements.
Incident reporting obligations (Article 23)
Article 23 establishes a structured, multi-phase reporting framework for significant cybersecurity incidents: an early warning within 24 hours of becoming aware of the incident; a detailed incident notification within 72 hours, including an initial assessment and available indicators of compromise (IoCs); intermediate status updates on request of the competent authority or CSIRT; and a final report within one month, covering root cause and the mitigation applied.
NIS2 also encourages voluntary notification of near-misses and potential threats to support collective EU threat intelligence through EU-CyCLONe.
Penalties and enforcement
NIS2 introduces harmonized sanctions comparable to GDPR:
| Category | Essential entities | Important entities |
|---|---|---|
| Maximum fine | €10 million or 2% of global annual turnover | €7 million or 1.4% of global annual turnover |
| Supervision | Proactive: audits, inspections, security scans | Reactive: triggered after non-compliance evidence |
| Management liability | Senior management must approve and oversee measures (Article 20). Personally liable. Mandatory training. Temporary bans possible. | |
| Enforcement powers | Binding instructions, corrective measures, mandatory public disclosure, security audits ordered by regulators. | |
GDPR overlap: an NIS2 incident may also be a GDPR breach. NIS2 will not impose an additional monetary fine for the same incident but may impose other non-financial penalties. Organizations must navigate both frameworks for incidents involving personal data.
How does Teldat support NIS2 compliance?
Meeting NIS2 requires threat detection, network security, access control, incident response, and continuous monitoring. Teldat’s portfolio addresses multiple obligations across IT and OT environments:
be.Safe XDR: threat detection, incident handling, and effectiveness assessment
be.Safe XDR provides comprehensive network visibility, AI-powered threat detection with personalized ML models, and automated incident response. It supports measures 1 (risk analysis), 2 (incident handling), and 6 (effectiveness assessment): real-time anomaly detection in encrypted traffic, behavioral analytics (UEBA), automated network reconfiguration, and Layer 7 (application-level) traffic analysis across IT and OT.
be.Safe Pro: access control, encryption, and network security
be.Safe Pro delivers SASE with SWG and NGFW for granular access control, encryption, and application-level security. It addresses measures 8 (cryptography), 9 (access control), and 10 (MFA) with 15,000+ IPS signatures, 84 browsing categories, 4,000+ application decoders, and ZTNA for Zero Trust access.
SD-WAN: business continuity and asset management
CNM SD-WAN Suite provides centralized orchestration with visibility, segmentation, and policy enforcement. It supports measures 3 (business continuity) and 9 (asset management). Its API-driven architecture integrates with XDR for self-healing network responses, and it is deployed in Europe’s largest SD-WAN + XDR implementation at the Junta de Andalucía.
CPSTIC certified: Teldat holds both Qualified and Approved status in Spain’s CPSTIC Catalog (CCN/ENS) at the highest level (ENS Alta). This validates alignment with NIS2’s emphasis on certified, standards-compliant technologies.
Frequently asked questions (FAQ)
What is the NIS2 Directive?
The EU’s updated cybersecurity regulation (Directive (EU) 2022/2555) requiring essential and important entities across 18 critical sectors to implement risk management, report incidents, and ensure supply chain security. Replaced NIS1 in October 2024. Affects 100,000+ organizations.
Who must comply with NIS2?
Organizations with 50+ employees or €10M+ revenue in covered sectors. Essential entities (energy, transport, healthcare, banking, digital infrastructure, public administration, space) face proactive supervision. Important entities (postal, waste, chemicals, food, manufacturing, digital providers) face reactive oversight.
What are the 10 minimum measures?
Article 21: (1) risk analysis, (2) incident handling, (3) business continuity, (4) supply chain, (5) secure development, (6) effectiveness assessment, (7) cyber hygiene/training, (8) cryptography, (9) access control/asset management, (10) MFA/secure communications.
What are the NIS2 penalties?
Essential: up to €10 million or 2% of global turnover. Important: up to €7 million or 1.4%. Senior management personally liable. Temporary management bans possible.
How does NIS2 differ from NIS1?
Expands from 7 to 18 sectors, automatic size-cap rules, harmonized penalties, 24h/72h/1-month incident reporting, executive accountability, supply chain security. Far stricter enforcement.
What are the incident reporting deadlines?
24 hours: early warning. 72 hours: detailed notification with IoCs. Upon request: intermediate updates. 1 month: final report with root cause and mitigation.
Prepare your organization for NIS2 compliance
Teldat’s integrated cybersecurity and networking solutions help organizations across the EU build the security posture required by NIS2, from threat detection to incident response and network segmentation.